Ann has completed Agency training for a job as a
non-official cover agent at an international oil firm.
But now she's assigned to the release engineering
team at Aloodo, a large Internet company where the
source is open, the culture is wild and free, and
release engineering, without management's knowledge,
installs back doors for the Agency. A change in the
company's elaborate list of security checks means
the Agency needs one more inside person, fast, and
Ann is the only NOC-qualified agent available.

Hijinks ensue as Ann must make it through the
technical interview with a flaky radio connection to
an Aloodo-employed NOC agent for support. When it
fails, she aces the interview by dropping some
petroleum science.

Ann struggles to keep up with both her release
engineering work and her Agency responsibilities.
But when a series of intricate heists has police
baffled, she realizes that the gang is using
information that could only come from within Aloodo.
Do the back doors have back doors? Who are her new
co-workers really working for? Is there anyone she
can trust?

Underground publishing is nice, but what if you want
to run something like an underground newspaper with
an editing process? Or an underground wiki? Or an
underground software or design project?

It seems to me that the tools to do it are already
coming into being, and most of them have corporate
uses, which means that most of the work to implement
this is being done on the clock.

You can start your underground collaboration system
with Git, but in order to actually organize
work you need an issue tracker, something like
Bugs Everywhere.
Fortunately you can use git as the backend for
miscellaneous collaboration applications using
databranches,
so you can have just Git as the only data store. No
separate database needed for the meta-info such as
status, owner, deadline, comments.

The system doesn't need all of the stuff
in How Git Could Grow into an Enterprise SCM
System,
but it would be nice to have multi-blob files, bup
style,
and essential to have some
kind of network object store.
Tahoe-LAFS?
Or just run a bunch of parts of
enterprise-ish software stacks that
will work as DHT nodes, as Tor hidden services?
Swift?
You could have a variety of network object stores
feeding the same projects, since they're all the same
to Git.

(A first step in adding network object stores
to Git would just be a tool that walks through a
repository and inserts Git objects into the DHT,
or gets objects from the DHT to fill in the gaps.
Eventually the corporate SCM market is going to
need Git repositories larger than the smallest hard
drives they're willing to buy for their code monkeys,
so this is likely to improve.)
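
A sketch of that walk-and-fill tool, added here as an illustration and not code from the original post or from Git. It assumes the DHT behaves like a plain key/value store (a dict stands in for it) and uses constructed sample blobs; because Git names each object by the hash of its content, the reader can reject anything an untrusted node returns under the wrong id.

```python
import hashlib
import zlib

def git_object_id(obj_type, body):
    """Git names an object by SHA-1 over "<type> <size>\\0" plus the body."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()

def encode_object(obj_type, body):
    """Loose-object encoding: zlib-compressed header and body."""
    return zlib.compress(f"{obj_type} {len(body)}\0".encode() + body)

def decode_and_verify(expected_id, blob):
    """Accept bytes from an untrusted store only if they hash to expected_id."""
    try:
        raw = zlib.decompress(blob)
    except zlib.error:
        return None
    if hashlib.sha1(raw).hexdigest() != expected_id:
        return None  # wrong or tampered content under this key
    header, _, body = raw.partition(b"\0")
    obj_type, _, size = header.partition(b" ")
    if not size.isdigit() or int(size) != len(body):
        return None  # malformed header
    return obj_type.decode("ascii", "replace"), body

def push_objects(local, store):
    """Walk the local objects and insert each into the network store."""
    for oid, (obj_type, body) in local.items():
        store.setdefault(oid, encode_object(obj_type, body))

def fill_gaps(wanted, local, store):
    """Fetch missing objects; return ids that were absent or failed the check."""
    rejected = []
    for oid in wanted:
        if oid in local:
            continue
        blob = store.get(oid)
        obj = decode_and_verify(oid, blob) if blob is not None else None
        if obj is None:
            rejected.append(oid)
        else:
            local[oid] = obj
    return rejected

def demo():
    # Constructed sample data: two blobs in a publisher's repository.
    bodies = (b"issue 1: draft editorial\n", b"issue 2: corrections\n")
    publisher = {git_object_id("blob", b): ("blob", b) for b in bodies}
    store = {}  # stand-in for the DHT (assumption: a plain key/value store)
    push_objects(publisher, store)
    wanted = sorted(publisher)
    # A faulty or hostile node returns different bytes under the first id.
    store[wanted[0]] = encode_object("blob", b"forged text\n")
    reader = {}
    return wanted, reader, fill_gaps(wanted, reader, store)

if __name__ == "__main__":
    print(demo())
```

The check only ties bytes to an id, so the ids a reader starts from have to come from a reference the reader already trusts.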

Put any references you want to share long-term
into Namecoin and there's
your publishing. To read the publication, a user
would get the reference from Namecoin and populate
a local Git repository with the required objects.
(Naturally most people would use an RSS-reader-like
client to do this.)

For live collaboration action, a group could stand
up a Git repository as a Tor hidden service (using
Gitbucket
would make this not such a tweaky
sysadmin task) or use something like
piehole, with
the etcd instances as hidden services and relying on
the DHT to share objects. Then periodically "archive"
refs to Namecoin.

The final result is subversive as hell but all the
parts are either already done or mainly useful for
Enterprise IT.

I use dlvr.it to share blog posts and
links with Facebook, through the magic of RSS.
Every once in a while I go to the Facebook site to
read comments on something that dlvr.it gatewayed
there for me, but Facebook is not one of the places
I check habitually (see How can I break the Facebook
habit).

Most of the ads that I was getting to start with were
for free-to-play NSFW games, so I changed my profile
to "female". Jackpot! All of a sudden I started
getting much more professional ads, including IT
products and services for big companies, and training
classes for online marketing skills (yes, including
a Facebook ad for a class on how to advertise on
Facebook). What I guess happened is that the more
business-focused advertisers put in gender-neutral
bids, and while I was "male" on the site, they got
outbid by the game companies specifically targeting
male users.

(Dudes, I highly recommend going "female" on Facebook
if you haven't already, especially if you might be
embarrassed about people seeing too much décolletage
in the ads when they walk by. So there's your
personal infotainment tip for today.)

But what did I do? I had fixed a problem, so I broke
it some more. I went ahead and stayed female, but
increased my age to 88. Big mistake.

Now, I look at the ads, and I'm getting the
bottom-feeders of the bottom-feeders. The above ad
goes to a page that has nothing to do with a celebrity
scandal. It's some kind of laser surgery racket.
Oh well, the "dynamic corporate IT professional"
ads that I had been getting as a younger woman were
good while they lasted. I don't know if I'm now
getting the low bidders who didn't want to pay more to
reach younger users, or if some of these advertisers
are targeting me.

Bob Hoffman points out that
marketing ignores people over
50
but that's just legit marketing, from the kind of
places that hire people like Bob Hoffman. All those
ad spots that the big brands don't buy are still
getting snapped up, and the result is pretty icky.

Johnson and Johnson, the brand's owner, recalled
all the existing Tylenol, started a campaign to
tell people not to take it, and, most important,
fixed some key security problems.

Bottle seals are expensive.

Redesigning an openable capsule into a solid, coated
caplet is even more expensive.

But the company did it. Today, the Tylenol story is
the classic business-school example of how to save
a product that has a severe security flaw. And I'm
giving the stuff to my kids.

Today is supposed to be "#StopTheNSA" day. I'm just
glad that the people who came up with that weren't
in charge during the Tylenol crisis. Tylenol would
have sponsored a big, attention-getting "#StopTheFBI"
day, while customers quietly swore off the stuff.

One can argue, and maybe I'm the first one to do it,
that all this targeting and audience segmentation might
be creating an internet that's worse for the consumer.
By downplaying the need for context, we're actually
dis-incentivizing the creation of quality content and
environments.

First of all, go read Havoc Pennington's
report
on putting Fedora 20 on a ThinkPad T440s. Good stuff,
and a big reason I bought this machine in the first
place.

The main problems with the T440s from my point of
view as a long-time Linux/ThinkPad user are...

New power connector again. Just when I got rid of
my last 16V, and had a decent collection of round
20V ones, too. (But the new rectangular connector
is also 20V. Maybe there's a source of just the
connectors and I can break out the soldering iron
and convert a couple of old ones.)

No more hard-wired mouse buttons below the
space bar. More on this below.

Yes, this is the kind of little stuff that Linux
laptop users are down to complaining about, now.
When I was starting out we had to recompile the kernel
just to get PCMCIA working. (What's PCMCIA? Get off
my lawn.)

The Fedora 20 install was easy, as usual. Since I
now have several Fedora, RHEL, and CentOS machines
kicking around at work, I wrote an RPM spec to
depend on or conflict with all the stuff I like to
have or not have, so that I don't have to do as many
"I thought that was already on here, oh well, yum
install" moments.

Clickpad "trouble"

On previous ThinkPads, I only had to use the
"synclient" command once to turn off the TouchPad.
Now, with no hardware mouse buttons, there's some more
tweaking required. Fortunately, people had already
hashed it out in the comments on that Havoc's
Blog piece (you did read it, right?) so
all I had to do was stick the right commands into a
script.
Since I will never remember how to make a .desktop
file, the script will take care of that, too.

So now I have a Synaptics TouchPad that's set up for
just three mouse buttons and for two-finger scroll.
One-finger motion or accidental palm contact does
nothing. Anyone who has claimed that blogging
is dead is clearly Wrong.

Human factors

Nice screen. The speakers have always been a
weak point for ThinkPads compared to other laptop
brands IMHO, but the T440s is a refreshing change.
Not hi-fi, but not pathetic either. Still needs
headphones for extended listening.

The keyboard is similar to the one on the T430,
with island-style keys. At first glance you might
think, oh, crap, another laptop vendor hired an Apple
fanboy as a product manager. But somehow Lenovo
managed to make this keyboard much more usable than
the Apple version. Not sure why, possibly because
the keys each have a slight depression instead of
being pure minimalist RoundRects. Anyway, good
keyboard, and the IBM TrackPoint is unchanged.

Everything just works

Yawn. Have not tried the Ethernet or VGA ports, but
no surprises so far. Let's put it this way: you're
not going to learn anything about reverse engineering,
driver development, or hardware vendor politics here.
It's open box, click buttons, watch cat video time.

Time for another round of license poker?

The mid-range ThinkPads have been stealth Linux boxes
for a long time, so it's not a surprise that this one
is, too. Built from well-supported Intel components,
and there's little if any drama getting the pre-loaded
MS-Windows off, and Linux on.

Speaking of pre-loaded
MS-Windows, well, that's a tough business these
days.
PCs are getting cheaper. But they're not making
much money for their makers. Welcome to the value
trap, writes The Guardian's Charles
Arthur. Time for another round of preloaded Linux
laptops, to get a better license deal from Microsoft?
Any time Lenovo needs to do that, this hardware is
ready for it.

Why are the people of Silicon Valley,
including a venture capitalist slash
Stanford professor, seemingly ignorant about
questions that any gun show shopper would
get right the first time? Michael Dearing, in The
NSA and the Corrosion of Silicon Valley, writes,

Inside our companies and research
centers, talented minds are being conscripted into
surveillance. Think about the software developers
who wrote the code behind your email service. Or the
team who built the guts of a blogging service’s
geolocation features. Not one of them chose
to work for the NSA. But their work has been
co-opted, effectively turned into surveillance
tools.

Turned into surveillance tools.

Turned into.

Maybe the gun nuts have just been thinking about this
stuff longer than the Valley crowd has. When the
question of gun registration comes up, nobody
beard-strokingly says, well, we need to reform
the government so that the data collected will never
be used for a confiscation program. Any Second
Amendment fan will jump straight to assuming that
the government, or someone inside the government,
will go Pol Pot on them and do the worst possible
thing with the data.

A good computer programmer doesn't
trust the user's input, or servers
out on the network. Why trust the government?

Maybe there's a simple answer. First, wishful
thinking, and second, ambitious marketing. People
normally interact with companies in a guard-up shopping
mode. Users know that a company
is trying to sell them something, and
protect their internal decision-making
process. But using what Rebecca J. Rosen calls the
Grossest Advertising Strategy of All Time,
a company can try to get inside the user's
decision-making process.

But what if there's a deeper problem?
What if the Valley crowd really does know
that whining about NSA reform is useless?
Even if the marketing is weak, the surveillance
is Good Enough For Government Work. What if, as Christopher
Caldwell suggests, the surveillance-marketing
complex is going through a public-private bonding
period?

Big Data algorithms often escape common
sense and easy regulability. Those who create them
have a powerful incentive—as the designers of
financial derivatives did a decade ago—to render
them opaque. Yet the privacy problem that most
agitates the authors is the prospect that companies
might have to reveal "confidential business strategies
to outsiders." The authors' suggestion of a "privacy
framework...focused less on individual consent at
the time of collection and more on holding data users
[corporations] accountable for what they do" sounds
awfully convenient for the data users. In fact, it
sounds a great deal like the voluntary compliance
that was expected of banks in the Alan Greenspan
era.

That's going to be a problem when the inevitable
"let's disrupt the incumbent" startups come
along. The users and makers of privacy tools could already
go to jail under the Computer
Fraud and Abuse Act. And clearly, regulation
will be more of an aid to the marketing-surveillance
complex than a hindrance. In the system that passed
CAN-SPAM, the most that Congress will come up with is
a complex set of regulations to protect incumbents
(who have the budget to hire people to figure out the
regulations) from startups (who don't).

So if adtech is so firmly joined to the NSA (and, of
course, to other countries' intelligence agencies)
to the point where disrupting it is, well, they
don't call it "disrupting" when it's the government,
do they? If the surveillance-marketing complex is
really a thing, and not just a bunch of naive IT
vendors being taken advantage of by the big bad NSA,
what can we possibly do?

What's the equivalent of "militia kit" for information
freedom? Has to include something like Disconnect (interview).
Second Amendment defenders don't have to adopt a
Merry Men lifestyle to be effective, and many Fourth
Amendment fans can get by with basic privacy tools
instead of becoming slow-Internet-using PGP/Tor nerds.

Can we strangle surveillance marketing with
easy-to-use off the shelf privacy tools such as
Disconnect? Maybe. The big problem for surveillance
marketing these days is that they can't have adtech,
privacy, and fraud control—they
have to pick two. If the user
base picks privacy for them, then the presence of fraud
rings is a big problem for surveillance marketing.
It's easier for a bot to hide if it can pretend to
be a privacy-sensitive user.

But can users and developers, without advertisers,
squeeze out adtech? Probably not. When I mock
Fourth Amendment fans for failing to protect their
rights as well as the Second Amendment fans do, I'm
leaving out an important fact. The Second Amendment
doesn't have a whole industry devoted to wiping it
out, while the Fourth is under attack from every
"online advertising" line item in every Marketing
budget in the world. And as long as that's true,
you're risking prosecution under the CFAA every time
you block or scramble an ad cookie.

Ouch.

The last piece that needs to come together for this
privacy thing to work at all is for advertisers
to realize that targeted advertising loses the
valuable signal that they're buying ads for in
the first place. The Fourth becomes as easy to
defend as the Second when violating the Fourth
loses its economic constituency, not before.

It looks as if it's impossible for adtech as we know
it to do both. We can't go directly from today's
online ad environment to one that protects privacy.
Current adtech has kicked out some of the essential
supports, so a privacy-sensitive online ad business is
going to have to rebuild some important connections.

Just to review, here's the fundamental value
proposition of adtech.

The fundamental value proposition of these
ad tech companies who are de-anonymizing the Internet
is, "Why spend big CPMs on branded sites when I can get
them on no-name sites?"

That's from Michael
Tiffany, CEO of an adtech security firm called
White Ops.

The ad market, on which we all depend,
started going haywire. Advertisers didn't have to
buy The Atlantic. They could buy ads on
networks that had dropped a cookie on people visiting
The Atlantic. They could snatch our audience right
out from underneath us.

With me so far? Yes, adtech proponents are going
to try to snow you with talk about Big Data and
disruption and all that jibber-jabber, but the object
of the game from the adtech point of view is to track
the users well enough that advertisers don't have
to pay for reputable content.

Can't tell the players without a scorecard

Player one is the adtech firms. Their role
in the game is relatively simple. First,
move ad budgets away from high-value sites to
cheaper ones, you know, the sites that run a
bunch of crappy, infringing, violent, or otherwise Bad
content. And track the same users from
reputable to bottom-feeder sites. Adtech firms are all selling
essentially the same
thing. (Of course, they dress it up with technological-sounding
language but the premise
is simple. Writers cost money. Everybody
needs money. Therefore, take money away from
writers.)

Player two is the actual advertisers, the clients.
For now, just think of them as the parents who are
eventually going to come home and discover the party
and the credit card receipts.

Instead of trying to micromanage cookies, privacy
software developers will be able to deal with a single
big target. Just scramble or block a single Google
identifier and a single Microsoft one. (Facebook will
probably do one, too.) Other companies, though, may
go with sneaky browser fingerprinting, which
requires fixing a bunch of bugs to deal with. But if
Google and Microsoft are both staying away from this
technique, it will be easier for those fixes to make
it through the browser development process.

Now player four. The fraud rings. Remember the
bottom-feeder publishers on which adtech depends?
Well, as you might expect, many of them are
fraudulent. We fill up our site with infringing
copies of other people's content, but we play it
totally honest with our ad networks, said no
one, ever.

Google has everyone else in the game outclassed
technically, but some of the ad fraud gangs have
been able to score a few points against even Google.
And if you can hang with Google, you can clobber the adtech ankle-biters.

More examples in the bonus links below. The deeper
you dig, the more fraud you find.

As Jack Marshall points
out, Manufacturers of false traffic intimately
understand the performance indicators on which
agencies are paid and know exactly how to game the
system without making it obvious as a result. As
Kuntz pointed out, that can lead to agencies tweaking
campaigns and reallocating budgets based on completely
false information, and they have little idea they’re
doing so. Agencies are just following the numbers.

Wait a minute, though. Adtech firms
need to get more data in order to get a
handle on fraud. But they need to get less
data in order to give users some privacy and make
online ads work better. As a matter of fact,
the adtech business needs to do three things at the
same time.

Take money away from reputable sites and
their contributors.

Give users some privacy, because spam carries no
signal.

Limit the amount of fraud in the system before the
clients lose their patience.

But this might be one of those "pick two"
situations. Right now the industry has picked
option 1 already, and is trying for 3. That means
throw away 2. So the current trend is toward Peak Advertising.
The medium will eventually get burned out, like
email spam. That would be a shame.

Which leaves the option that looks to me like the
sound one. Keep 2 and 3, and give up on ripping off
the writers. Of course, this means abandoning the
fundamental value proposition of adtech, so that means
giving up on the whole creepy industry and building
a new one.